diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index 85de3d0..33c9845 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -134,6 +134,12 @@
   become: false
   become_user: "{{ ansible_user }}"
+- name: Provision TLS certificate for Gitea
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ gitea_nginx_hostname }}"
+  when: gitea_nginx_enabled
+
 - name: Deploy nginx vhost configuration for Gitea
   ansible.builtin.template:
     src: nginx-vhost.conf.j2
diff --git a/roles/gitea/templates/gitea.service.j2 b/roles/gitea/templates/gitea.service.j2
index 00e8a89..b1e0d8e 100644
--- a/roles/gitea/templates/gitea.service.j2
+++ b/roles/gitea/templates/gitea.service.j2
@@ -5,7 +5,7 @@ Description=Gitea Git Service
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory={{ podman_projects_dir | default('/opt/podman') }}/gitea
-ExecStart=/usr/bin/podman play kube --replace gitea.yaml
+ExecStart=/usr/bin/podman play kube --replace --network=pasta:--map-host-loopback={{ podman_gw_gateway }} gitea.yaml
 ExecStop=/usr/bin/podman play kube --down gitea.yaml
 Restart=on-failure
 RestartSec=10
diff --git a/roles/immich/defaults/main.yml b/roles/immich/defaults/main.yml
index cdfbb0d..827e758 100644
--- a/roles/immich/defaults/main.yml
+++ b/roles/immich/defaults/main.yml
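Review bot: The include at `ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"` reaches into a sibling role through a relative filesystem path, which only works while the roles happen to sit next to each other on disk and, as far as I can tell, does not load the nginx role's own defaults, so certbot.yml sees only whatever variables are already in scope. The idiomatic form is `ansible.builtin.include_role:` with `name: nginx` and `tasks_from: certbot`, which resolves the role through the normal roles path and keeps the `vars:` and `when:` exactly as written. The same pattern appears in the `Provision TLS certificate for Immich` task in roles/immich/tasks/main.yml and should change together with this one. If `gitea_nginx_enabled` is not declared in the role defaults, `when: gitea_nginx_enabled` aborts the play on an undefined variable rather than skipping; `when: gitea_nginx_enabled | default(false)` would make the opt-in explicit.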
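Review bot: The new ExecStart line renders `{{ podman_gw_gateway }}` with no fallback while the WorkingDirectory line two lines above guards `podman_projects_dir` with `| default('/opt/podman')`; the variable is introduced in the podman role's defaults in this same commit, so templating this unit fails with an undefined-variable error if the gitea role is ever applied in a play that has not loaded the podman role. The identical lines in immich.service.j2 and ntfy.service.j2 have the same gap. Rather than duplicating the address in a `| default(...)` in three templates, declare a role dependency on podman (or move the variable to group vars) so there is one source of truth. Separately, `--map-host-loopback` makes every service bound to the host's 127.0.0.1 reachable from this pod, not only the ones it needs; if Gitea or ntfy do not talk to a host-loopback service, dropping the flag from their units limits the exposure to the Immich pod, which is the one whose defaults reference host postgres and valkey.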
@@ -9,13 +9,13 @@ immich_upload_location: "{{ podman_projects_dir }}/immich/data/upload"
 immich_postgres_db_name: immich
 immich_postgres_user: immich
 # immich_postgres_password: "" # Intentionally undefined - role will fail if not set
-# immich_postgres_host: "" # Must be set in inventory (e.g., podman_gw_gateway)
+# immich_postgres_host: "" # Must be set in inventory (e.g., "{{ podman_gw_gateway }}" to reach host postgres)
 immich_postgres_port: 5432
 # Valkey configuration (REQUIRED password - must be set explicitly)
 immich_valkey_user: immich
 # immich_valkey_password: "" # Intentionally undefined - role will fail if not set
-# immich_valkey_host: "" # Must be set in inventory (e.g., podman_gw_gateway)
+# immich_valkey_host: "" # Must be set in inventory (e.g., "{{ podman_gw_gateway }}" to reach host valkey)
 immich_valkey_port: 6379
 immich_valkey_db: 0 # Dedicated database number for isolation (0-15)
diff --git a/roles/immich/tasks/main.yml b/roles/immich/tasks/main.yml
index c50988c..88496f9 100644
--- a/roles/immich/tasks/main.yml
+++ b/roles/immich/tasks/main.yml
@@ -57,6 +57,18 @@
     - earthdistance
     - vector
+- name: Update PostgreSQL extensions to latest available version
+  community.postgresql.postgresql_query:
+    login_db: "{{ immich_postgres_db_name }}"
+    query: "ALTER EXTENSION {{ item }} UPDATE"
+  become: false
+  become_user: "{{ postgres_admin_user | default('postgres') }}"
+  loop:
+    - cube
+    - earthdistance
+    - vector
+  changed_when: false
+
 - name: Grant schema permissions to Immich user
   community.postgresql.postgresql_privs:
     login_db: "{{ immich_postgres_db_name }}"
@@ -144,6 +156,12 @@
   become: false
   become_user: "{{ ansible_user }}"
+- name: Provision TLS certificate for Immich
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ immich_nginx_hostname }}"
+  when: immich_nginx_enabled
+
 - name: Deploy nginx vhost configuration for Immich
   ansible.builtin.template:
     src: nginx-vhost.conf.j2
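Review bot: `changed_when: false` on the `Update PostgreSQL extensions to latest available version` task reports "ok" even when `ALTER EXTENSION ... UPDATE` really upgrades an extension, so an extension upgrade on the Immich database never shows up in the play summary or in check-mode output. The module cannot distinguish a no-op from a real update from this statement, so if the setting stays it should say so, e.g. `# ALTER EXTENSION UPDATE is a no-op when already current; the module cannot tell the cases apart, so report unchanged`, or the task should `register:` its result and log it. The extension name is interpolated unquoted into SQL via `{{ item }}`; that is fine while `loop:` is the literal list shown, but if the list ever comes from inventory it needs an allow-list or identifier quoting. The statement also presumes the three extensions already exist in `{{ immich_postgres_db_name }}`; the task that appears to create them starts before this hunk, so keep the two in step if either becomes conditional.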
diff --git a/roles/immich/templates/immich.service.j2 b/roles/immich/templates/immich.service.j2
index 7bd3c90..5c4934b 100644
--- a/roles/immich/templates/immich.service.j2
+++ b/roles/immich/templates/immich.service.j2
@@ -5,7 +5,7 @@ Description=Immich Media Server
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory={{ podman_projects_dir | default('/opt/podman') }}/immich
-ExecStart=/usr/bin/podman play kube --replace immich.yaml
+ExecStart=/usr/bin/podman play kube --replace --network=pasta:--map-host-loopback={{ podman_gw_gateway }} immich.yaml
 ExecStop=/usr/bin/podman play kube --down immich.yaml
 Restart=on-failure
 RestartSec=10
diff --git a/roles/immich/templates/immich.yaml.j2 b/roles/immich/templates/immich.yaml.j2
index 4fed5a7..8559ee4 100644
--- a/roles/immich/templates/immich.yaml.j2
+++ b/roles/immich/templates/immich.yaml.j2
@@ -5,9 +5,6 @@ metadata:
   name: immich
   labels:
     app: immich
-  annotations:
-    io.podman.annotations.network.mode: bridge
-    io.podman.annotations.network.name: podman-gw
 spec:
   containers:
     - name: server
diff --git a/roles/ntfy/templates/ntfy.service.j2 b/roles/ntfy/templates/ntfy.service.j2
index c56c296..a45c957 100644
--- a/roles/ntfy/templates/ntfy.service.j2
+++ b/roles/ntfy/templates/ntfy.service.j2
@@ -5,7 +5,7 @@ Description=Ntfy Notification Service
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory={{ podman_projects_dir | default('/opt/podman') }}/ntfy
-ExecStart=/usr/bin/podman play kube --replace ntfy.yaml
+ExecStart=/usr/bin/podman play kube --replace --network=pasta:--map-host-loopback={{ podman_gw_gateway }} ntfy.yaml
 ExecStop=/usr/bin/podman play kube --down ntfy.yaml
 Restart=on-failure
 RestartSec=10
diff --git a/roles/podman/defaults/main.yml b/roles/podman/defaults/main.yml
index 8b46050..d79ff8c 100644
--- a/roles/podman/defaults/main.yml
+++ b/roles/podman/defaults/main.yml
@@ -18,3 +18,8 @@ podman_log_driver: journald
 # k8s-file driver settings (only used when podman_log_driver: k8s-file)
 podman_log_max_size: 10mb # Max size per log file before rotation
 podman_log_max_files: 5 # Max number of rotated log files to keep
+
+# Host gateway address exposed inside rootless containers (pasta --map-host-loopback)
+# Containers can connect to this address to reach services bound to host loopback.
+# Pasta translates the destination to 127.0.0.1 on the host side.
+podman_gw_gateway: 100.64.0.1
diff --git a/roles/podman/templates/containers.conf.j2 b/roles/podman/templates/containers.conf.j2
index 8fa0270..2efa910 100644
--- a/roles/podman/templates/containers.conf.j2
+++ b/roles/podman/templates/containers.conf.j2
@@ -29,5 +29,12 @@ runtime = "{{ podman_runtime }}"
 network_backend = "netavark"
 [network]
-# Default rootless network command (pasta for better performance)
+# Default rootless network command (pasta for better performance).
+# Note: default_rootless_network_cmd only accepts the mode name ("pasta" or
+# "slirp4netns"). Extra pasta arguments must be set via pasta_options below;
+# the "pasta:--arg=value" syntax is only valid for the CLI --network= flag.
 default_rootless_network_cmd = "pasta"
+
+# --map-host-loopback exposes the host's loopback to containers via {{ podman_gw_gateway }}.
+# Containers connecting to {{ podman_gw_gateway }} reach host services bound to 127.0.0.1.
+pasta_options = ["--map-host-loopback", "{{ podman_gw_gateway }}"]
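Review bot: The comment above `podman_gw_gateway: 100.64.0.1` explains the mechanism but not its security consequence: once `--map-host-loopback` is in effect, every host service that binds only to 127.0.0.1 is reachable from containers through this address, so "loopback-only" stops being an isolation boundary for those services and each of them needs its own authentication (the Immich defaults already require postgres and valkey passwords, which is the right pattern). Suggested addition: `# Security: ALL host services bound to 127.0.0.1 become reachable from containers via this address; protect them with service-level auth, not by relying on loopback binding.` The chosen address lies in the RFC 6598 shared range 100.64.0.0/10, which overlay networks such as Tailscale and some carrier networks also use; if the host or a pod is attached to such a network, traffic to this address becomes ambiguous, so the comment should state that the value must not overlap any network the host is on.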
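Review bot: `pasta_options = ["--map-host-loopback", "{{ podman_gw_gateway }}"]` is a host-wide setting, so every rootless pasta container on the machine gets host loopback mapped, not only the three units that also pass `--network=pasta:--map-host-loopback=...` explicitly, and the two mechanisms now duplicate each other. Pick one: keep the per-unit flag (scoped to the pods that need it, which is the least-privilege choice) and drop `pasta_options`, or keep the global option and remove the per-unit flags, and say which in the comment. If both are kept, the comment should state how pasta behaves when the option is passed twice, since these lines alone do not show whether the CLI value overrides or is appended to the config value.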